How it works
The attacker takes a legitimate email, such as a delivery notice or invoice, recreates it closely, and sends it from a spoofed or lookalike address with a note presenting it as a resend or update. Because the format matches something the recipient has seen before, suspicion is low and the malicious link or attachment gets the click.
It often follows a mailbox compromise that gave the attacker the original messages to copy.
How it relates to brand impersonation
Clone phishing is brand impersonation built on familiarity, reusing your real templates against your customers. The sender domains and landing pages behind it are the usual lookalikes.
How nebty helps
nebty monitors for the lookalike domains used to send and host clone-phishing campaigns against your brand and removes them on demand.
How to spot a cloned message
Clone phishing is hard to catch because the email is a faithful copy of one you really did receive, often a delivery notice, an invoice, or a password-reset message, resent with the links or attachments swapped. The framing explains why it looks familiar: it claims to be a resend, an update, or a correction to the earlier legitimate message. The tells are subtle. The sender address is a lookalike or spoof rather than the exact original, the message arrives unexpectedly soon after the real one, and the link, on inspection, points somewhere new. Because it often follows a mailbox compromise that gave the attacker the original, treat any unexpected resend as suspect and verify through the account or company directly. For a brand, the sending and hosting domains are the usual lookalikes, which monitoring can flag and takedowns can remove.
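Two of the tells above (a near-identical body with a changed sender domain and a link that points somewhere new) can be checked mechanically against the earlier legitimate message. The sketch below is an added example, not nebty's code; the sample messages, the `.example` domains, the function names and the 0.85 similarity threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample messages (reserved .example names, not real traffic).
ORIGINAL = """\
From: Parcel Notices <notices@parcel.example>
Subject: Your parcel is on its way

Hello, your parcel 4471 has shipped and will arrive within three working days.
Track it here: https://parcel.example/track/4471
Thank you for your order.
"""
SUSPECT = """\
From: Parcel Notices <notices@parcel-notice.example>
Subject: Your parcel is on its way (updated)

Updated notice. Hello, your parcel 4471 has shipped and will arrive within three working days.
Track it here: https://track.parcel-notice.example/4471
Thank you for your order.
"""

def _parts(raw):
    """Return (sender domain, set of link hosts, normalised body text)."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part plain text assumed
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = {urlsplit(u).hostname or "" for u in URL_RE.findall(body)}
    # Mask URLs so a swapped link does not lower the body similarity.
    text = " ".join(URL_RE.sub("<url>", body).split()).lower()
    return domain, hosts, text

def clone_signals(original_raw, suspect_raw, min_similarity=0.85):
    """Compare a new message with an earlier legitimate one; list clone tells."""
    o_dom, o_hosts, o_text = _parts(original_raw)
    s_dom, s_hosts, s_text = _parts(suspect_raw)
    similarity = SequenceMatcher(None, o_text, s_text).ratio()
    signals = []
    if similarity >= min_similarity:  # only a faithful copy counts as a "resend"
        if s_dom != o_dom:
            signals.append(f"sender domain changed: {o_dom} -> {s_dom}")
        new_hosts = sorted(s_hosts - o_hosts)
        if new_hosts:
            signals.append("new link hosts: " + ", ".join(new_hosts))
    return similarity, signals
```

A genuine resend from the same domain with the same links returns no signals; the timing tell and attachment swaps are not covered here.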